Hands-on security and optimisation challenges for the GitHub Actions certification (GH-200), part of the Certy learning platform.
This repository teaches the security and hardening practices that GitHub Actions engineers are expected to know. It pairs short, focused labs with deliberately defanged "before" workflows and a clean, secure reference workflow.
Maintained by CertyPro. For the full course, see certy-gh200-course-content.
GH-200 dedicates an entire domain to securing and optimising automation. In real teams, the most common GitHub Actions incidents come from a small set of avoidable mistakes: over-broad token permissions, leaked secrets, unpinned third-party actions, missing environment protections, stale action versions, and misuse of the pull_request_target event. These labs walk you through each one.
| Sub-topic | Covered in |
|---|---|
| Configure `GITHUB_TOKEN` permissions for least privilege | Lab 01 |
| Handle secrets safely and avoid exposure in logs | Lab 02 |
| Reference third-party actions securely (pin to a commit SHA) | Lab 03 |
| Use environments, required reviewers and deployment protection rules | Lab 04 |
| Keep actions up to date with Dependabot version updates | Lab 05 |
| Understand the security implications of workflow triggers (`pull_request` vs `pull_request_target`) | Lab 06 |
| High-level awareness of OIDC for keyless cloud authentication | Labs 02 and 04 (concept notes) |
| # | Lab | What you learn |
|---|---|---|
| 01 | Token permissions | Apply a least-privilege `permissions:` block at workflow and job level instead of relying on the default `GITHUB_TOKEN` scope. |
| 02 | Secret leak risk | How secrets surface in logs, how masking works, and what never to echo. |
| 03 | Third-party action pinning | Pin actions to a full 40-character commit SHA instead of a tag. |
| 04 | Environment protection | Required reviewers, wait timers and deployment branch policies. |
| 05 | Dependabot and actions | Automate action updates with a dependabot.yml. |
| 06 | pull_request_target risk | The pull_request_target footgun and how to handle forked pull requests safely. |
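Labs 01, 03 and 06 each describe a pattern that can be recognised mechanically in a workflow file. The script below is an added example, not a tool from this repository or its solutions: it audits workflow text for jobs that inherit the default `GITHUB_TOKEN` scope or request `write-all`, `uses:` references not pinned to a 40-character commit SHA, and a `pull_request_target` workflow that checks out the pull-request head (`github.event.pull_request.head.sha`/`.ref` or `github.head_ref`). The two embedded workflows are constructed inputs, the 40-hex pin in the secure one is a placeholder rather than a real commit, and the line-oriented parsing assumes the 2-space indentation used in GitHub's documentation.

```python
"""Audit GitHub Actions workflow text for mistakes these labs cover: jobs that inherit
the default GITHUB_TOKEN scope or use write-all (Lab 01), actions not pinned to a full
commit SHA (Lab 03), and pull_request_target workflows that check out the PR head (Lab 06).
Added example, not a tool from this repository; line-oriented so it needs no YAML library."""
from __future__ import annotations

import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                       # full commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"]+)")  # step- or job-level uses:
JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")            # job id directly under jobs:
JOB_PERMS_RE = re.compile(r"^    permissions:")              # job-level permissions: block
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*write-all\b")
PR_HEAD_REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)")

@dataclass
class Finding:
    line: int
    rule: str
    detail: str

def strip_comment(line: str) -> str:
    """Drop a whole-line or trailing '# ...' comment (e.g. the '# v4.1.1' beside a SHA pin)."""
    return re.sub(r"(^|\s)#.*$", "", line)

def audit_workflow(text: str) -> list[Finding]:
    lines = [strip_comment(l) for l in text.splitlines()]
    uses_prt = re.search(r"\bpull_request_target\b", "\n".join(lines)) is not None
    workflow_level_perms = any(l.startswith("permissions:") for l in lines)
    findings, jobs, jobs_with_perms = [], [], set()   # jobs holds (line, job id)
    in_jobs, current_job = False, None

    for n, line in enumerate(lines, 1):
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if in_jobs and line and not line.startswith(" "):
            in_jobs = False                   # next top-level key ends the jobs: map
        if in_jobs:
            if m := JOB_RE.match(line):
                current_job = m.group(1)
                jobs.append((n, current_job))
            elif current_job and JOB_PERMS_RE.match(line):
                jobs_with_perms.add(current_job)
        if WRITE_ALL_RE.match(line):
            findings.append(Finding(n, "write-all", "write-all grants every scope; list only the scopes the job needs"))
        if m := USES_RE.match(line):
            ref = m.group(1)
            # Local (./path) and docker:// references have no tag to pin, so skip them.
            if not ref.startswith(("./", "docker://")):
                tag = ref.rsplit("@", 1)[1] if "@" in ref else ""
                if not SHA_RE.match(tag):
                    findings.append(Finding(n, "unpinned-action",
                                            f"{ref} is not pinned to a 40-character commit SHA"))
        if uses_prt and PR_HEAD_REF_RE.search(line):
            findings.append(Finding(n, "prt-checkout",
                                    "pull_request_target workflow checks out the PR head: untrusted "
                                    "code would run with a write-capable token and access to secrets"))

    if not workflow_level_perms:              # no workflow default, so each job needs its own block
        for n, job in jobs:
            if job not in jobs_with_perms:
                findings.append(Finding(n, "missing-permissions",
                                        f"job '{job}' has no permissions: block and inherits the default token scope"))
    return sorted(findings, key=lambda f: f.line)

# Constructed sample inputs, not files from this repository.
INSECURE_WORKFLOW = """\
name: insecure
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

# The 40-hex pin below is a placeholder, not a real actions/checkout commit.
SECURE_WORKFLOW = """\
name: secure
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
"""

if __name__ == "__main__":
    for name, wf in (("insecure", INSECURE_WORKFLOW), ("secure", SECURE_WORKFLOW)):
        print(name, [f"line {f.line} [{f.rule}] {f.detail}" for f in audit_workflow(wf)])
```

To use it on this repository, read each file under `.github/workflows` and pass its contents to `audit_workflow`; the constructed insecure sample produces all three classes of finding, the secure sample none. The checks are heuristics on the patterns the labs name, not a full policy engine: a job that sets an over-broad explicit block such as `contents: write` it does not need will pass the `missing-permissions` check, so a human review of each listed scope is still part of the fix.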
- Read the lab `README.md` files in order. Each one explains what is wrong, the task, and how to verify.
- Inspect the example workflows in `.github/workflows`. Two show insecure patterns (defanged), one is a clean secure reference.
- Try to fix the insecure patterns yourself, then check your work against `solutions/README.md`.
| File | Purpose | Trigger |
|---|---|---|
| `insecure-token.yml` | Shows a job with no explicit `permissions:` block, so it inherits the default (over-broad) `GITHUB_TOKEN` scope. | `workflow_dispatch` only |
| `unpinned-action.yml` | Uses an action pinned to a movable tag rather than a commit SHA. | `workflow_dispatch` only |
| `secure-example.yml` | A correct, least-privilege CI workflow. | `pull_request` and `workflow_dispatch` |
The insecure examples in this repository are for learning only and are deliberately defanged. They demonstrate risky patterns through comments and harmless `echo` steps: they do not leak secrets, they do not check out or execute untrusted code, and they run only on manual `workflow_dispatch`, so they never fire automatically. Never copy the insecure patterns into a production workflow; always apply the secure version described in the solutions.
- certy-gh200-course-content - the full GH-200 course.
- gh200-student-actions-lab - general Actions practice lab.
- gh200-broken-workflows - debugging broken workflows.
- gh200-custom-actions-lab - building custom actions.
- gh200-enterprise-admin-sim - enterprise administration scenarios.
- gh200-reusable-workflows-library - reusable workflow patterns.
Released under the MIT Licence.